Authentication is the process of proving that some fact or some document is genuine. In computing, the term usually refers to proving a user's identity. A user typically does so by presenting credentials: a piece of information agreed on in advance and shared between the user and the system.
The combination of a username and a password is the most popular authentication mechanism, also known as password authentication.
A well-known example is signing in to a website or a service such as Facebook or Gmail. Before you can access your account, you must prove you hold the correct login credentials. The service presents a screen that asks for a username and a password, then compares what the user entered with the values stored in its internal repository.
If you enter a valid combination of these credentials, the service provider will allow you to continue and will give you access to your account.
While the username may be public (an email address, for example), the password must remain confidential, and because of that confidentiality passwords must be protected from theft. Although usernames and passwords are used everywhere on the internet, they are notorious for being a weak security mechanism that attackers exploit regularly.
The first line of defense is enforcing password strength: a password must be hard for an attacker to guess. Length and unpredictability matter most. Mixing lowercase and uppercase letters, digits, and special characters helps only when the characters are genuinely unpredictable; a short password built from a dictionary word with a few predictable substitutions stays weak no matter how many character classes it contains.
End users are notorious for choosing weak passwords. In its annual report, SplashData, an internet security firm, identified the 25 most common passwords. The list, based on millions of passwords exposed in data breaches, shows that millions of users still rely on passwords like "123456" and "password" to authenticate.
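The following password-policy check is an added example written for this article, not code from Auth0 or from SplashData. It turns the two points above into an enforceable rule: a denylist of common passwords (a constructed handful standing in for a full breach corpus), a length floor, and a normalization step that strips the "P@ssw0rd"-style substitutions that composition rules reward but attackers' wordlist rules undo. The minimum length of 12 and the 60-bit floor are assumed policy values, not Auth0 settings.

```python
import math

# Constructed denylist: a few of the most common leaked passwords, standing in
# for a full breach corpus such as the SplashData list or a breached-password API.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "123456789", "12345",
    "111111", "1234567", "sunshine", "iloveyou", "princess", "admin",
    "welcome", "abc123", "football", "monkey", "letmein", "dragon",
}

# Leetspeak substitutions that complexity rules reward but that add almost
# nothing against a cracker's wordlist rules (P@ssw0rd -> password).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 12      # assumed policy value for this example
MIN_ENTROPY_BITS = 60  # assumed policy value for this example


def normalize(password: str) -> str:
    """Undo trivial obfuscation before the denylist lookup.

    Trailing digits are dropped first ("password123" -> "password"), then the
    leetspeak map is applied ("P@ssw0rd" -> "password").
    """
    return password.lower().rstrip("0123456789").translate(LEET)


def charset_size(password: str) -> int:
    """Size of the alphabet the password draws from (95 printable ASCII at most)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return size


def max_entropy_bits(password: str) -> float:
    """Upper bound on guessing entropy, assuming every character were random.

    Shows why length dominates: 8 chars from 95 symbols is ~52.6 bits, while
    16 lowercase letters is ~75.2 bits.
    """
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def check_password(password: str) -> tuple[bool, list[str]]:
    """Return (accepted, reasons) for a candidate password."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        problems.append("matches a commonly used password")
    if max_entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append("too few characters for its alphabet")
    return (not problems, problems)


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd", "lantern-quiet-orbit-mango"):
        ok, reasons = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected: ' + '; '.join(reasons)}")
```

"P@ssw0rd" satisfies a classic four-character-class rule yet fails all three checks here, while a long lowercase passphrase with no special characters beyond hyphens passes; that is the difference between complexity and strength.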
This is a matter of usability, since weak passwords are easier to remember. Users also tend to reuse the same password across different websites and services.
The two habits compound: a weak password is easy to guess, and once it leaks from one service it can be used to access every other service where the same user reused it.
Strong passwords can withstand brute-force and dictionary attacks, but they are no defense against phishing and keyloggers, which capture the password directly from the user rather than guessing it, or against credential stuffing, which replays username and password pairs leaked from one service against many others.
Passwords are also at risk when they are not stored securely. For example, in a recent news report, Facebook was shown to have stored millions of Instagram passwords in plain text. Passwords should never be stored in plain text or in a reversibly encrypted form; they should be stored as salted hashes produced by a deliberately slow password-hashing function (such as bcrypt, scrypt, Argon2, or PBKDF2), so that a leaked database cannot be turned back into passwords cheaply.
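Here is what that storage looks like in practice, as an added example written for this article rather than code from Auth0 or from Facebook. It uses the scrypt function in Python's standard library with a random 16-byte salt per password, stores the algorithm and work factor alongside the hash so the parameters can be raised later, and verifies with a constant-time comparison. The record format and the work-factor values are assumptions for this example.

```python
import base64
import hashlib
import hmac
import os

# Current work-factor policy (assumed values for this example). scrypt with
# n=2**14 and r=8 needs 128*r*n = 16 MiB per hash; raise n as hardware speeds up.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024
SALT_BYTES, KEY_BYTES = 16, 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm, parameters, salt and hash.

    A fresh random salt per password means two users with the same password
    get different records, so a leaked table cannot be cracked in bulk with
    one precomputed (rainbow) table. Record layout (assumed for this example):
    scrypt$n$r$p$salt_b64$hash_b64
    """
    salt = os.urandom(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                         maxmem=SCRYPT_MAXMEM, dklen=KEY_BYTES)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(key)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record and compare in constant time."""
    try:
        alg, n, r, p, salt_b64, key_b64 = record.split("$")
        if alg != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=int(n), r=int(r), p=int(p),
                                   maxmem=SCRYPT_MAXMEM, dklen=len(expected))
    except ValueError:
        # Malformed record: wrong field count, bad base64, or bad parameters.
        return False
    # hmac.compare_digest does not stop at the first differing byte, so timing
    # does not reveal how much of the hash matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when the stored record is weaker than current policy.

    Rehash on the next successful login, the one moment the plaintext is available.
    """
    parts = record.split("$")
    return parts[0] != "scrypt" or int(parts[1]) < SCRYPT_N


if __name__ == "__main__":
    stored = hash_password("lantern-quiet-orbit-mango")
    print(stored)
    print("correct password:", verify_password("lantern-quiet-orbit-mango", stored))
    print("wrong password:  ", verify_password("Lantern-quiet-orbit-mango", stored))
```

Contrast this with the plain-text case above: had the Instagram passwords been stored this way, the exposed records would have been salts and hashes, and an attacker would have to spend 16 MiB and tens of milliseconds per guess per user instead of reading the passwords off the disk.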
A category of credentials, such as a username and password, is called an authentication factor. Password authentication is the best-known type, but other factors exist. Authentication factors are typically classified into three types:
Something you know, for example, a password
Something you have, for example, a smartphone
Something you are, for example, biometric authentication
This factor requires the user to show that they know something: typically a password or a Personal Identification Number (PIN) shared between the user and the Identity and Access Management (IAM) system.
To use this factor, the system requires the user to provide that shared information.
Here the user has to prove possession of something, such as a smartphone, a smart card, or a mailbox. The system issues a challenge that can only be answered with that item. For example, it can require a Time-based One-Time Password (TOTP) generated by an authenticator app on the user's smartphone from a secret shared at enrollment, or it can send a one-time code in a text message or an email. Codes delivered by SMS or email are weaker than an authenticator app or hardware token: they prove access to a phone number or mailbox, which can be taken over, rather than possession of a specific device.
This factor is based on a characteristic inherent to the user (the inherence factor), typically a biometric trait such as a fingerprint or voice. Facial recognition also falls into this category.
Authentication based on a single factor is called single-factor authentication.
The common case is a plain username and password, but the term applies to any other single factor. As discussed above, password authentication can be a weak mechanism. Research has shown that around 76% of companies have experienced a phishing attack, while 81% of data breaches involve stolen or weak passwords.
You can add authentication factors to strengthen the process. For example, your Google account can be set to send a prompt to your mobile device after the usual username and password step. That is two-factor authentication (2FA): an authentication mechanism based on two categories of credentials, something you know and something you have. With the second factor in place, an attacker who steals your password still cannot sign in, because they lack the second factor.
You can combine more factors for still stronger identity assurance. This is multi-factor authentication (MFA), of which 2FA is one form.
As the name says, passwordless authentication is an authentication mechanism that doesn't use a password. Its primary motivation is to relieve password fatigue: the effort users spend remembering and safeguarding strong passwords.
Removing the password also removes the thing most phishing campaigns are after, though a one-time code delivered by email or text can itself be phished; only factors cryptographically bound to the legitimate site, such as a FIDO2 security key, are phishing-resistant.
Passwordless authentication can use any factor based on what you have or what you are. For example, you can let a user access a service or an application with a code sent to their email or through facial recognition.
As an identity-as-a-service company, Auth0 has authentication at the core of its services. Every month Auth0 handles 2.5 billion authentications to help companies of all sizes secure their systems. Every employee at Auth0 is in some way involved in making authentication more secure and easier to implement.
From compliance certifications like ISO 27001 and SOC 2 Type II to security features like breached password detection, Auth0 employees work around the clock to provide world-class authentication solutions that fit every company's needs. If you want to learn more about authentication or about how Auth0 can help you implement it securely, check out this training.
Keep reading at our Intro to IAM page to explore more topics around Identity and Access Management.
Why is passwordless authentication used? (pick all that apply)
What is an example of something you have in an authentication system? (pick all that apply)